Lessons from the Cosmos Bank attack

In August this year, Cosmos Bank became the latest victim of a major cyber-attack. Attackers breached the bank’s ATM switch server in Pune and stole the card data of many Visa and RuPay debit card holders. That data was then used to carry out around 12,000 fraudulent transactions across 28 countries on August 11, with a further 2,841 transactions taking place in India.

The attack didn’t stop there. Two days later, on August 13, in a further malware attack on the bank’s server, a SWIFT transaction was initiated, transferring funds to the account of ALM Trading Limited at Hang Seng Bank, Hong Kong.

The total losses from the attack stand at INR 94 crore, or about USD 13.5 million. Cosmos Bank was forced to shut down its ATM operations and suspend its online and mobile banking facilities.

Malware attack: The bank’s core banking system (CBS) receives debit card authorization requests through a ‘switching system’ that sits between the card networks and the CBS. During the malware attack, the attackers set up a proxy switch, and all of the fraudulent payment approvals were issued by that proxy rather than by the bank’s real switching system.

ATMs compromised: When a customer withdraws money at an ATM, the request is forwarded to the card-issuing bank’s CBS, which approves the transaction only if the account holds a sufficient balance. In the Cosmos Bank case, the malware created a proxy system that bypassed the CBS entirely: using cloned cards and the ‘parallel’ or proxy switch, the attackers could approve their own withdrawal requests without the CBS ever checking a balance, withdrawing over INR 80.5 crore in approximately 15,000 transactions.
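As an added example (not Cosmos Bank’s systems or any vendor’s code), the following Python models the switch-to-CBS authorization path described above and shows two checks that would expose a proxy switch: reconciling the switch’s approval log against the CBS’s own decision trail, and flagging a single card approved in several countries within a short window, the pattern of the coordinated withdrawals described above. The class names, card numbers, amounts and timestamps are constructed for illustration.

```python
# Added example, not Cosmos Bank's or any vendor's code: a toy model of the
# ATM switch / CBS authorization path and two checks that expose a proxy switch.
# All card numbers, balances and timestamps below are constructed.
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Withdrawal:
    txn_id: str
    card: str
    amount: int        # INR
    country: str
    at: datetime


@dataclass
class CoreBankingSystem:
    """Holds account balances and records every decision it actually made."""
    balances: dict
    trail: dict = field(default_factory=dict)   # txn_id -> "APPROVED" | "DECLINED"

    def authorize(self, w):
        bal = self.balances.get(w.card, 0)
        if w.amount > bal:
            self.trail[w.txn_id] = "DECLINED"
            return False
        self.balances[w.card] = bal - w.amount
        self.trail[w.txn_id] = "APPROVED"
        return True


class Switch:
    """Legitimate switch: forwards each request to the CBS and relays its answer."""
    def __init__(self, cbs):
        self.cbs = cbs
        self.approvals = []          # what the switch told the ATM network

    def handle(self, w):
        ok = self.cbs.authorize(w)
        if ok:
            self.approvals.append(w)
        return ok


class ProxySwitch(Switch):
    """The attackers' proxy: answers 'approved' without ever consulting the CBS."""
    def handle(self, w):
        self.approvals.append(w)
        return True


def unreconciled_approvals(approvals, cbs):
    """Switch approvals with no matching APPROVED decision in the CBS trail.
    Empty for an honest switch; every approval for a proxy switch."""
    return [w for w in approvals if cbs.trail.get(w.txn_id) != "APPROVED"]


def cash_out_suspects(approvals, window=timedelta(hours=2), max_countries=2):
    """Cards approved in more than max_countries countries within one window."""
    by_card = defaultdict(list)
    for w in approvals:
        by_card[w.card].append(w)
    suspects = []
    for card, ws in by_card.items():
        ws.sort(key=lambda w: w.at)
        for i, first in enumerate(ws):
            countries = {w.country for w in ws[i:] if w.at - first.at <= window}
            if len(countries) > max_countries:
                suspects.append(card)
                break
    return sorted(suspects)


def demo():
    """Constructed traffic: one cloned card hit in three countries in nine minutes."""
    t0 = datetime(2018, 8, 11, 3, 0)
    requests = [
        Withdrawal("t1", "4111-0001", 10000, "IN", t0),
        Withdrawal("t2", "4111-0001", 10000, "CA", t0 + timedelta(minutes=5)),
        Withdrawal("t3", "4111-0001", 10000, "HK", t0 + timedelta(minutes=9)),
        Withdrawal("t4", "4111-0002", 5000, "IN", t0 + timedelta(minutes=20)),
    ]
    balances = {"4111-0001": 15000, "4111-0002": 20000}

    honest_cbs = CoreBankingSystem(dict(balances))
    honest = Switch(honest_cbs)
    for w in requests:
        honest.handle(w)          # t2 and t3 are declined: balance exhausted after t1

    real_cbs = CoreBankingSystem(dict(balances))   # never reached by the proxy
    proxy = ProxySwitch(real_cbs)
    for w in requests:
        proxy.handle(w)

    return {
        "honest_unreconciled": [w.txn_id for w in unreconciled_approvals(honest.approvals, honest_cbs)],
        "proxy_unreconciled": [w.txn_id for w in unreconciled_approvals(proxy.approvals, real_cbs)],
        "honest_cash_out": cash_out_suspects(honest.approvals),
        "proxy_cash_out": cash_out_suspects(proxy.approvals),
        "real_cbs_balance": real_cbs.balances["4111-0001"],   # untouched by the proxy
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The reconciliation check is the decisive one: a proxy switch can forge approvals, but it cannot forge entries in the CBS’s own ledger, so any approval the switch reports that the CBS never recorded is evidence that authorizations are being answered somewhere other than the CBS. The velocity check is coarser and would also fire on legitimate travel, so in practice it is a trigger for review rather than an automatic block.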

Reserve Bank of India (RBI) guidelines: The RBI has issued clear guidelines intended to protect against incidents such as the Cosmos Bank attack, and banks are required to follow them. Security maturity across Indian banks remains moderate; given the scale and coordination of international attacks such as this one, all banks need to upgrade their security mechanisms.

Why is this attack more serious?

Just a few days before this attack, the US FBI had warned banks of a major hacking threat to ATMs worldwide. According to KrebsOnSecurity, the influential cyber-security blog run by journalist Brian Krebs, a confidential alert to international banks stated that criminals were plotting an imminent, coordinated global malware attack on ATMs.

Smaller banks with less sophisticated security systems were believed to be the most vulnerable, with a scheme known as ‘ATM cash-out’ the likely approach. In an ATM cash-out, criminals compromise a bank or payment card processor and then use cloned cards at ATMs around the world to fraudulently withdraw millions of dollars in just a few hours.

Banking experts and industry players fear this attack could be a ‘pilot run’ for larger ones unless the authorities take it seriously. Essentially, this malware attack was not aimed at a single bank but at the banking system itself, and it was carried out at international scale in a meticulously coordinated manner.

Alert type – Severe

How can I protect my enterprise?

To defend your company from the spread of malware, it’s essential that you are equipped to detect and defeat such threats in real time.

These are our recommended immediate best practices:

Back up data regularly – verifying data integrity and testing the restoration process

Secure your offline backups – ensuring backups are not permanently connected to the computers and networks they back up